Draft for discussion purposes only
Jul 07, 2015
Rapid technological developments that led to jeopardizing privacy

1950: European Convention on Human Rights
1995: Need for regulation: European General Privacy Directive (95/46/EC)
2001: Dutch Personal Data Protection Act
2012: Proposal for a new EU regulation: equal level of personal data protection in all EU Member States
Key obligations under the data protection rules:

- A legal ground for processing of Personal Data must exist
- Obligation to implement technical and organisational measures in order to secure Personal Data
- Applicable retention periods regarding Personal Data
- Obligation to inform data subjects
- Additional requirements apply when transferring Personal Data outside the EU
- A data processing agreement between parties needs to be in place
- Obligation to notify the Authorities
- Data subject rights
- Personal data shall be collected for specific, explicitly defined and legitimate purposes
Privacy risk drivers: Brand Risk, Employee Data Mgmt, Increased Regulation, Customer/Student Sensitivity, Extended Enterprise, Advances in Technology, Globalization

Brand Risk
- Branding and positioning
- Risk to brand from privacy breach
- Potential inconsistencies between policies and practices

Employee Data Mgmt
- Employee privacy in multinational companies
- Requires localized and tailored approach

Increased Regulation / Globalization
- Multiple jurisdictions of privacy regulations
- Country specific compliance
- Legal solutions for EU data transfers such as Safe Harbor or model contracts
- Industry specific privacy codes of conduct

Customer/Student Sensitivity
- Sensitivity to aggressive marketing practices
- Existing privacy policies and client expectations
- Differing perspectives and expectations
- Procedures for responding to privacy complaints

Extended Enterprise
- Relationships with partners, vendors and service providers
- Inconsistent implementation of privacy practices among independent organizations
- Who has responsibility and associated liability for privacy?

Advances in Technology
- Web-based e-commerce applications interact with clients online
- Use of personalization technologies such as cookies, smart tags, unique identifiers, client profiles, etc.
- Information exchange economy
- CRM and HRIS systems centralize client and employee data from around the world
Business needs
- Direct and viral marketing initiatives
- Centralized vs. decentralized databases (ERP, CRM, Legacy)
- Data mining and business intelligence
- Replication and synchronization of information
- Personalized client/student/employee experiences

Privacy Requirements
- Processed fairly and lawfully
- Collected for specific, explicit, and legitimate purposes
- Adequate, relevant, and not excessive
- Accurate and secure
- Not kept longer than necessary
- Processed in accordance with data subject's rights
- Not transferred to countries with inadequate protection
© 2012 Deloitte The Netherlands
Privacy programme components:
- Strategy
- Policies
- Organization
- Technology
- Procedures
- Risk Assessment
- Metrics and Reporting
- Audit and Compliance
- Evaluation and Adjustment
- Communications, Training, Awareness
Resilience is the new protection

Traditional blocking approach: Static; Perimeter; Keep out
Next generation resilience approach: Dynamic; Open & Connected; Detect and Respond

Resilience is the ability to detect a breach timely and respond adequately.
Deloitte Digital
Questions an attacker asks of a web application:
- Can I alter or guess other accounts?
- What are the other account numbers?
- What else can be uploaded?
- What if I alter this number?
- Can I access administrator pages?
- Can transactions be manipulated?
Annika Sponselee
Senior Manager
+31 (0) 6 1099 9302
Rob Muris
Senior Consultant
+31 (0) 6 1099 9133